> netsh advfirewall firewall show rule name="TCP/5000"
Rule Name: TCP/5000 ---------------------------------------------------------------------- Enabled: Yes Direction: In Profiles: Domain,Private,Public Grouping: LocalIP: Any RemoteIP: Any Protocol: TCP LocalPort: 5000 RemotePort: Any Edge traversal: No Action: Allow Ok.
RedHat, Ubuntu, OpenSUSE LEAP 15.0 등은 시스템 기본 파이어월 관리자로 firewalld 를 제공한다고 한다.
firewalld
firewalld 는 ….
firewalld는 ufw 처럼 iptables 을 구성할 수 있다.
[그림. Firewall Stack (redhat.com)]
네트워크를 지역 관리가 가능해서 다른 네트워크, 지역에 따라 다른 규칙으로 구성해서 사용할 수 있다. For example “Home” and “Office” where all communications with local machines are allowed, and “Public Wi-Fi” where no communication with the same subnet would be allowed.
OpenSUSE LEAP 15.0, RedHat, Ubuntu 등은 시스템 기본 파이어월 관리자로 firewalld 를 제공한다고 한다.
1
$ sudo apt install firewalld
Start firewalld
To start firewalld, enter the following command as root:
1
systemctl start firewalld
root 사용자로 시작한다.
1 2
sudo systemctl enable firewalld sudo reboot
For more information about the service status, use the systemctl status sub-command:
1 2 3 4 5 6
sudo systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Thu 1970-01-01 09:01:48 KST; 48 years 6 months ago
sudo firewall-cmd --state
Stop firewalld
To stop firewalld, enter the following command as root:
1
systemctl stop firewalld
To prevent firewalld from starting automatically at system start, enter the following command as root:
1
systemctl disable firewalld
To make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld, enter the following command as root:
1
systemctl mask firewalld
사용해 보기
firewalld 는 명령라인 firewall-cmd 와 GUI로 firewall-config 명령을 지원한다.
Zone 설정
Get a list of all supported zones
1
firewall-cmd --get-zones
List all zones with the enabled features.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
$ firewall-cmd --list-all-zones ...
public target: default icmp-block-inversion: no interfaces: sources: services: ssh dhcpv6-client http https ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
기본으로 제공하는 Zone
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.